Compromised SquirrelMail packages discovered

Packages for the SquirrelMail webmail system were modified after their official release on December 5. According to the developers, the packages were compromised on December 8, and the tampering was discovered only recently because the MD5 checksums did not match. However, only the packages of the current stable version 1.4.12 seem to have been affected.

While the developers trace the modifications back to a potentially compromised maintainer account, they believe that the unauthorised modifications have "little to no impact". According to their analysis, a program error is the worst possible consequence. However, they also state that they cannot follow the modifications completely.

For security reasons, the developers therefore recommend that all SquirrelMail admins who downloaded their installation archives from the project page between December 8 and 13 reinstall from the original packages now available for download. The MD5 checksums of the unmodified archives are: